CVE-2016-8581

MEDIUM

AlienVault OSSIM & USM <5.3.2 - XSS


Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-8581. PoCs were published by Peter Lapp and Sasha Zivojinovic, including the Metasploit module exploits/linux/http/alienvault_sqli_exec.


Description

A persistent XSS vulnerability exists in the User-Agent header of the login process of AlienVault OSSIM and USM before 5.3.2 that allows an attacker to steal session IDs of logged in users when the current sessions are viewed by an administrator.

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Peter Lapp · text · webapps · php
https://www.exploit-db.com/exploits/40683

This exploit demonstrates a stored XSS vulnerability in Alienvault OSSIM/USM <=5.3.1, where malicious JavaScript injected via the User-Agent header executes when mousing over the User-Agent field in the 'Current Sessions' page. The PoC sends session IDs to an arbitrary site (Google in this example).

Classification: Working PoC 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Alienvault OSSIM/USM <=5.3.1
No auth needed
Prerequisites: Access to the login page to inject the malicious User-Agent header
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · EXCELLENT
by Sasha Zivojinovic · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/alienvault_sqli_exec.rb

This Metasploit module exploits an unauthenticated SQL injection vulnerability in AlienVault OSSIM to retrieve an admin session ID, then leverages it to execute arbitrary commands via policy creation. The exploit chain involves SQLi for session hijacking followed by RCE through policy manipulation.

Classification: Working PoC 100%
Attack Type: SQLi | RCE
Complexity: Moderate
Reliability: Reliable
Target: AlienVault OSSIM <= 4.3.1
No auth needed
Prerequisites: Network access to the target · SQL injection vulnerability in graph_geoloc.php · Admin session must exist
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid)
http://www.securityfocus.com/bid/93862
Exploit, Third Party Advisory (exploit, x_refsource_exploit-db)
https://www.exploit-db.com/exploits/40683/

Scores

CVSS v3: 6.1
EPSS: 0.1706
EPSS Percentile: 96.7%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (2):
alienvault/open_source_security_information_and_event_management < 5.3.1
alienvault/unified_security_management < 5.3.1
Published: Oct 28, 2016
Tracked Since: Feb 18, 2026